EP3068093B1 - Security authentication method and bidirectional forwarding detection method - Google Patents

Security authentication method and bidirectional forwarding detection method Download PDF

Info

Publication number
EP3068093B1
EP3068093B1 EP14869208.0A EP14869208A EP3068093B1 EP 3068093 B1 EP3068093 B1 EP 3068093B1 EP 14869208 A EP14869208 A EP 14869208A EP 3068093 B1 EP3068093 B1 EP 3068093B1
Authority
EP
European Patent Office
Prior art keywords
bfd
token value
packet
local
control plane
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP14869208.0A
Other languages
German (de)
French (fr)
Other versions
EP3068093A4 (en
EP3068093A1 (en
Inventor
Peilin Yang
Tao Han
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of EP3068093A1 publication Critical patent/EP3068093A1/en
Publication of EP3068093A4 publication Critical patent/EP3068093A4/en
Application granted granted Critical
Publication of EP3068093B1 publication Critical patent/EP3068093B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/40Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a security authentication method and a bidirectional forwarding detection BFD device.
  • the Bidirectional Forwarding Detection (Bidirectional Forwarding Detection, BFD) protocol can rapidly detect a communication fault between neighboring network devices, and a network device can switch traffic over to a backup link according to the rapidly detected fault, to speed up network convergence, thereby ensuring continuation of a service, reducing impact of a device fault or link fault on the service, and improving network availability.
  • a BFD device includes a control plane formed by a general CPU processor and a data plane formed by a network processor (network processor, NP).
  • the BFD protocol supports three security authentication manners: (1) an authentication manner based on a simple password; (2) authentication based on message digest algorithm 5 (message digest algorithm 5, MD5); and (3) authentication based on Security Hash Algorithm 1 (security hash algorithm 1, SHA1); however, in the data plane, there is no manner of security authenticating a BFD packet by the NP yet in any prior art.
  • CN 102 932 318 A discloses a verification method and node for a BFD session.
  • the method includes: an initiating node adds a first random number generated by the initiating node to a first BFD control packet and sending the first BFD control packet added with the first random number to a remote node.
  • the remote node obtains and saves the first random number generated by the initiating node in the received first BFD control packet.
  • the remote node adds a second random number generated by the remote node to the received first BFD control packet, and sends the first BFD control packet added with the second random number to the initiating node.
  • the initiating node obtains and saves the second random number generated by the remote node in the received second BFD control packet.
  • the present invention provide a security authentication method and a bidirectional forwarding detection BFD device.
  • a security authentication method including:
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
  • the authentication information further includes a token value
  • the method further includes:
  • control plane of the local BFD device generates the first token value by using a hash algorithm.
  • the data plane of the local BFD device generates the second token value by using a hash algorithm the same as that of the control plane of the local BFD device.
  • the first BFD packet further carries an expiration time of the first token value
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes: generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • the control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • a general CPU processor such as an X86 processor
  • the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • the random nonce is carried by extending fields of the first BFD packet and second BFD packet.
  • the first BFD packet further includes authentication request information
  • the authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1
  • the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet.
  • a security authentication method including:
  • the method further includes:
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
  • the first BFD packet further carries an expiration time of the first token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • the first BFD packet further carries an expiration time of the first token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, the password, and the expiration time and by using a third hash algorithm.
  • the first BFD packet further carries an expiration time of the token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time and by using a fourth hash algorithm.
  • the control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • a general CPU processor such as an X86 processor
  • the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • the random nonce is carried by extending fields of the first BFD packet.
  • the second token value is carried by extending fields of the second BFD packet.
  • the first BFD packet further includes authentication request information
  • the authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1
  • the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet.
  • a bidirectional forwarding detection BFD device including a control plane and a data plane, where the control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane; and the data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce; generate a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet;
  • a bidirectional forwarding detection BFD device including a control plane and a data plane, where
  • control plane is further configured to: after the first token value is generated, and before the data plane of the local BFD device receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  • a data plane of a BFD device performs token authentication on a second BFD packet by using token values, so that an NP of the data plane of the BFD device can also perform security authentication.
  • An embodiment of the present invention provides a security authentication method. Referring to FIG. 1 , the method includes the following operations:
  • a data plane of a BFD device performs token authentication on a second BFD packet by using token values, so that an NP of the data plane of the BFD device can also perform security authentication.
  • the generating, by the control plane of the local BFD device, the token value according to the random nonce includes:
  • the authentication information further includes a token value
  • the method further includes:
  • control plane of the local BFD device generates the first token value by using a hash algorithm.
  • the data plane of the local BFD device generates the second token value by using a hash algorithm the same as that of the control plane of the local BFD device.
  • the first BFD packet further carries an expiration time of the first token value
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes: generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • general CPU processor such as an X86 processor
  • data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • the random nonce is carried by extending fields of the first BFD packet and second BFD packet.
  • the first BFD packet further includes standard authentication request information
  • the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1
  • the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet.
  • An embodiment of the present invention provides another security authentication method. Referring to FIG. 2 , the method includes the following operations:
  • the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password; and
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
  • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
  • the first BFD packet further carries an expiration time of the first token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, the password, and the expiration time.
  • the first BFD packet further carries an expiration time of the first token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • the first BFD packet further carries an expiration time of the first token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time and by using a third hash algorithm.
  • the first BFD packet further carries an expiration time of the token value
  • the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time and by using a fourth hash algorithm.
  • control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • general CPU processor such as an X86 processor
  • data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • the random nonce is carried by extending fields of the first BFD packet.
  • the second token value is carried by extending fields of the second BFD packet.
  • the first BFD packet further includes standard authentication request information
  • the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1
  • the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet.
  • FIG. 3 shows a BFD packet sent by an original data plane
  • FIG. 4 shows a BFD packet sent by an original control plane, and a difference between the packet and the BFD packet that is sent by the original data plane shown in FIG. 3 is that an MD5/SHA1 authentication field is added in the packet
  • FIG. 5 and FIG. 6 present details of authentication fields in the BFD packet shown in FIG. 4 ;
  • FIG. 3 shows a BFD packet sent by an original data plane
  • FIG. 4 shows a BFD packet sent by an original control plane, and a difference between the packet and the BFD packet that is sent by the original data plane shown in FIG. 3 is that
  • FIG. 7 shows a BFD packet that is sent by an extended control plane, where the BFD packet carries a random nonce, where a random nonce Random nonce field is added to original authentication types (for example, Auth Type based on MD 5 or SHA1 is 2/3/4/5), and to be compatible with a previous protocol, one bit R is reserved in an original 8-bit reserved field, and used to represent Random nonce, that is, if a value of R is 1, it indicates that Random nonce exists, and M of 1 bit represents message type of a request message or a response message; and FIG.
  • a random nonce Random nonce field is added to original authentication types (for example, Auth Type based on MD 5 or SHA1 is 2/3/4/5), and to be compatible with a previous protocol, one bit R is reserved in an original 8-bit reserved field, and used to represent Random nonce, that is, if a value of R is 1, it indicates that Random nonce exists, and M of 1 bit represents message type of a request message or a response message; and
  • FIG 8 shows a BFD packet sent by an extended data plane in this embodiment of the present invention, where the BFD packet carries at least one of a random nonce and a token value, where a new authentication type Auth Type: Token Auth is newly added, for example, the type is 6, and in this type, either of the fields Random nonce and Token exists or both exist at the same time, and Expiration Time or Sequence Number may also exist.
  • Auth Type Token Auth is newly added, for example, the type is 6, and in this type, either of the fields Random nonce and Token exists or both exist at the same time, and Expiration Time or Sequence Number may also exist.
  • Step 1 A control plane of a peer BFD device sends a first BFD packet that includes standard authentication request information (for example, Auth Type based on MD5 or SHA1 is 2/3/4/5) to a control plane of a local BFD device, where the first BFD packet further carries a random nonce generated by the peer BFD device, and the first BFD packet may further carry an expiration time Expiration Time or a Sequence Number.
  • standard authentication request information for example, Auth Type based on MD5 or SHA1 is 2/3/4/5
  • Step 2 The control plane of the local BFD device calculates a first token value according to the random nonce and by using a hash algorithm after successfully authenticating the first BFD packet, where the first token value may be generated according to the random nonce, and a source IP address and a destination IP address that are included in the first BFD packet, or may be generated according to the random nonce, a source IP address and a destination IP address that are included in the second BFD packet, and the expiration time.
  • Step 3 The control plane of the local BFD device sends the first token value to a data plane of the local BFD device.
  • Step 4 The control plane of the local BFD device sends the first token value to the control plane of the peer BFD device by using a response packet of the first BFD packet, where this step is optional, that is, the first token value may not be sent.
  • Step 5 The control plane of the peer BFD device sends the received first token value to the data plane, where this step is also optional, that is, if step 3 is not performed, step 4 is not performed either.
  • Step 6 After a BFD session is up, the data plane of the peer BFD device sends the second BFD packet encapsulated with the random nonce Random nonce to the data plane of the local BFD device.
  • the second BFD packet may also include a token value.
  • Step 7 The data plane of the local BFD device generates a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device, and performs comparison to determine whether the second token value is the same as the first token value, and the data plane of the local BFD device successfully authenticates the second BFD packet if the second token value is the same as the first token value.
  • the data plane of the local BFD device may generate the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a hash algorithm the same as that of the control plane, or the data plane of the local BFD device generates the second token value according to the random nonce included in the authentication information, a source IP address and a destination IP address in the second BFD packet, and the expiration time and by using a hash algorithm the same as that of the control plane.
  • the method further includes:
  • Step 1 A control plane of a peer BFD device sends a first BFD packet that includes standard authentication request information (for example, Auth Type based on MD5 or SHA1 is 2/3/4/5) to a control plane of a local BFD device, where the first BFD packet further carries a random nonce generated by the peer BFD device, and the first BFD packet may further carry an expiration time Expiration Time or a Sequence Number.
  • standard authentication request information for example, Auth Type based on MD5 or SHA1 is 2/3/4/5
  • Step 2 The control plane of the local BFD device calculates a first token value according to the random nonce by using a hash algorithm after successfully authenticating the first BFD packet, where the first token value may be generated according to the random nonce and a password that is included in the standard authentication request information, or may be generated according to the random nonce, the password that is included in the standard authentication request information, and the expiration time Expiration Time.
  • Step 3 The control plane of the local BFD device sends the first token value to a data plane of the local BFD device.
  • Step 4 The control plane of the local BFD device sends the first token value to the control plane of the peer BFD device by using a response packet of the first BFD packet.
  • Step 5 The control plane of the peer BFD device sends the received first token value to the data plane.
  • Step 6 After a BFD session is up, the data plane of the peer BFD device sends the second BFD packet encapsulated with the second token value to the data plane of the local BFD device.
  • Step 7 The data plane of the local BFD device performs comparison to determine whether the second token value is the same as the received first token value sent by the control plane, and if the second token value is the same as the first token value, the data plane of the local BFD device successfully authenticates the second BFD packet.
  • an embodiment of the present invention further provides a bidirectional forwarding detection BFD device 1100, including a control plane 1101 and a data plane 1102.
  • the control plane 1101 is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane 1102.
  • the data plane 1102 is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce; generate a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet;
  • the authentication information further includes a token value
  • the data plane is further configured to: before successfully authenticating the second BFD packet, perform comparison to determine whether the token value included in the authentication information is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • control plane includes a general CPU processor; and the data plane includes a network processor NP.
  • An embodiment of the present invention further provides a bidirectional forwarding detection BFD device, including a control plane and a data plane.
  • the control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane.
  • the data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a second token value; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • control plane is further configured to: after the first token value is generated, and before the data plane of the local BFD device receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  • the first BFD packet further includes standard authentication request information
  • the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password
  • control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • control plane includes a general CPU processor; and the data plane includes a network processor NP.
  • an embodiment of the present invention further provides a bidirectional forwarding detection BFD device, including an interface 1201, a general CPU processor 1202, a network processor 1203, and a bus 1204, where the interface 1201, the general CPU processor 1202, and the network processor 1203 are connected and perform mutual communication by using the bus 1204.
  • a bidirectional forwarding detection BFD device including an interface 1201, a general CPU processor 1202, a network processor 1203, and a bus 1204, where the interface 1201, the general CPU processor 1202, and the network processor 1203 are connected and perform mutual communication by using the bus 1204.
  • the bus 1204 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, or the like.
  • ISA Industry Standard Architecture
  • PCI peripheral component interconnect
  • EISA Extended Industry Standard Architecture
  • the bus 1204 may be classified into an address bus, a data bus, a control bus, and the like. For the ease of representation, the bus is represented only by a line in the figure, but it does not indicate that there is only one bus or only one type of bus.
  • the interface 1201 receives a first BFD packet sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device.
  • the general CPU processor 1202 is configured to generate a first token value according to the random nonce; and send the first token value to the network processor 1203.
  • the interface 1201 is further configured to receive a second BFD packet sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce.
  • the network processor 1203 is configured to generate a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the general CPU processor 1202, perform comparison to determine whether the second token value is the same as the first token value, and if the second token value is the same as the first token value, successfully authenticate the second BFD packet.
  • the general CPU processor 1202 is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • the network processor 1203 is specifically configured to generate the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a calculation method the same as that of the control plane of the BFD device.
  • the authentication information further includes a token value
  • the network processor 1203 is further configured to: before successfully authenticating the second BFD packet, perform comparison to determine whether the token value included in the authentication information is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • An embodiment of the present invention further provides a bidirectional forwarding detection BFD device, including an interface 1301, a general CPU processor 1302, a network processor 1303, and a bus 1304, where the interface 1301, the general CPU processor 1302 and the network processor 1303 are connected and perform mutual communication by using the bus 1304.
  • the bus 1304 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, or the like.
  • the bus 1204 may be classified into an address bus, a data bus, a control bus, and the like. For the ease of representation, the bus is represented only by a line in the figure, but it does not indicate that there is only one bus or only one type of bus.
  • the interface 1301 receives a first BFD packet sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device.
  • the general CPU processor 1302 is configured to generate a first token value according to the random nonce; and send the first token value to the network processor 1303.
  • the interface 1301 is further configured to receive a second BFD packet sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a token value.
  • the network processor 1303 is configured to perform comparison to determine whether the second token value is the same as the first token value, and if the second token value is the same as the first token value, successfully authenticate the second BFD packet.
  • the general CPU processor 1302 is further configured to: after the first token value is generated, and before the network processor 1303 receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  • the first BFD packet further includes standard authentication request information
  • the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password
  • a data plane of a BFD device performs token authentication on a second BFD packet by using token values, so that an NP of the data plane of the BFD device can also perform security authentication.
  • modules and algorithm steps may be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether the functions are performed by hardware or software depends on particular applications and design constraint conditions of the technical solutions. A person skilled in the art may use different methods to implement the described functions for each particular application, but it should not be considered that the implementation goes beyond the scope of the present invention.
  • the disclosed apparatus and method may be implemented in other manners.
  • the described apparatus embodiment is merely exemplary.
  • the functional module division is merely logical function division and may be other division in actual implementation.
  • a plurality of modules or components may be combined or integrated into another system, or some features may be ignored or not performed.
  • the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented by using some interfaces.
  • the indirect couplings or communication connections between the apparatuses or modules may be implemented in electronic, mechanical, or other forms.
  • modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one position, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual requirements to achieve the objectives of the solutions of the embodiments.
  • modules in the embodiments of the present invention may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module.
  • the functions When the functions are implemented in the form of a software functional module and sold or used as an independent product, the functions may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or some of the technical solutions may be implemented in a form of a software product.
  • the computer software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network device) to perform all or some of the steps of the methods described in the embodiments of the present invention.
  • the foregoing storage medium includes: any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only network processor (ROM, Read-Only Memory), a random access network processor (RAM, Random Access Memory), a magnetic disk, or an optical disc.
  • program code such as a USB flash drive, a removable hard disk, a read-only network processor (ROM, Read-Only Memory), a random access network processor (RAM, Random Access Memory), a magnetic disk, or an optical disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)
  • Computer And Data Communications (AREA)

Description

    TECHNICAL FIELD
  • The present invention relates to the field of communications technologies, and in particular, to a security authentication method and a bidirectional forwarding detection BFD device.
    • BACKGROUND
  • The Bidirectional Forwarding Detection (Bidirectional Forwarding Detection, BFD) protocol can rapidly detect a communication fault between neighboring network devices, and a network device can switch traffic over to a backup link according to the rapidly detected fault, to speed up network convergence, thereby ensuring continuation of a service, reducing impact of a device fault or link fault on the service, and improving network availability. A BFD device includes a control plane formed by a general CPU processor and a data plane formed by a network processor (network processor, NP). To prevent cyberattacks, in the control plane, the BFD protocol supports three security authentication manners: (1) an authentication manner based on a simple password; (2) authentication based on message digest algorithm 5 (message digest algorithm 5, MD5); and (3) authentication based on Security Hash Algorithm 1 (security hash algorithm 1, SHA1); however, in the data plane, there is no manner of security authenticating a BFD packet by the NP yet in any prior art.
  • CN 102 932 318 A discloses a verification method and node for a BFD session. The method includes: an initiating node adds a first random number generated by the initiating node to a first BFD control packet and sending the first BFD control packet added with the first random number to a remote node., The remote node obtains and saves the first random number generated by the initiating node in the received first BFD control packet. The remote node adds a second random number generated by the remote node to the received first BFD control packet, and sends the first BFD control packet added with the second random number to the initiating node. The initiating node obtains and saves the second random number generated by the remote node in the received second BFD control packet.
    • SUMMARY
  • In order that an NP in a data plane of a BFD device can also perform security authentication, the present invention provide a security authentication method and a bidirectional forwarding detection BFD device.
  • According to a first aspect, a security authentication method is provided, including:
    • receiving, by a control plane of a local bidirectional forwarding detection BFD device, a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device;
    • generating, by the control plane of the local BFD device, a first token value according to the random nonce;
    • sending, by the control plane of the local BFD device, the first token value to a data plane of the local BFD device;
    • receiving, by the data plane of the local BFD device, a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce; and generating, by the data plane of the local BFD device, a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device, performing comparison to determine whether the second token value is the same as the first token value, and successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value.
  • With reference to the first aspect, in a first possible implementation manner, the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet; and
    • the generating, by the data plane of the local BFD device, the second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device includes:
      • generating, by the data plane of the local BFD device, the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a calculation method the same as that of the control plane of the local BFD device.
  • With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner, the authentication information further includes a token value;
    • before the successfully authenticating, by the data plane of the local BFD device, the second BFD packet, the method further includes:
    • performing, by the data plane of the local BFD device, comparison to determine whether the token value included in the authentication information is the same as the first token value; and
    • the successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value includes:
      • successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • With reference to the first aspect or the first or second possible implementation manner of the first aspect, in a third possible implementation manner, after the generating, by the control plane of the local BFD device, the first token value, and before the receiving, by the data plane of the local BFD device, the second BFD packet that is sent by a data plane of the peer BFD device, the method further includes:
    • sending, by the control plane of the local BFD device, a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value; and the second token value is the first token value encapsulated in the second BFD packet.
  • With reference to the first aspect or any one of the first to third possible implementation manners of the first aspect, in a fourth possible implementation manner, the control plane of the local BFD device generates the first token value by using a hash algorithm.
  • With reference to the first aspect or any one of the first to fourth possible implementation manners of the first aspect, in a fifth possible implementation manner, the data plane of the local BFD device generates the second token value by using a hash algorithm the same as that of the control plane of the local BFD device.
  • With reference to the first aspect or any one of the first to fifth possible implementation manners of the first aspect, in a sixth possible implementation manner, the first BFD packet further carries an expiration time of the first token value, and the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes: generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • With reference to the first aspect or any one of the first to sixth possible implementation manners of the first aspect, in a seventh possible implementation manner, the control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • With reference to the first aspect or any one of the first to seventh possible implementation manners of the first aspect, in an eighth possible implementation manner, the random nonce is carried by extending fields of the first BFD packet and second BFD packet.
  • With reference to the first aspect or any one of the first to eighth possible implementation manners of the first aspect, in a ninth possible implementation manner, the first BFD packet further includes authentication request information, the authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet.
  • According to a second aspect, a security authentication method is provided, including:
    • receiving, by a control plane of a local bidirectional forwarding detection BFD device, a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device;
    • generating, by the control plane of the local BFD device, a first token value according to the random nonce;
    • sending, by the control plane of the local BFD device, the first token value to a data plane of the local BFD device;
    • receiving, by the data plane of the local BFD device, a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a second token value; and performing, by the data plane of the local BFD device, comparison to determine whether the second token value is the same as the first token value, and successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value.
  • With reference to the second aspect, in a first possible implementation manner, after the generating, by the control plane of the local BFD device, the first token value, and before the receiving, by the data plane of the local BFD device, the second BFD packet that is sent by a data plane of the peer BFD device, the method further includes:
    • sending, by the control plane of the local BFD device, a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value; and the second token value is the first token value encapsulated in the second BFD packet.
  • With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner,
    • the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password; and
    • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and the password.
  • With reference to the second aspect or the first possible implementation manner of the second aspect, in a third possible implementation manner,
    the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • With reference to the second possible implementation manner of the second aspect, in a fourth possible implementation manner,
    • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and the password and by using a first hash algorithm.
  • With reference to the second aspect or the first or third possible implementation manner of the second aspect, in a fifth possible implementation manner,
    • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
      • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet and by using a second hash algorithm.
  • With reference to the second or fourth possible implementation manner of the second aspect, in a sixth possible implementation manner,
    • the first BFD packet further carries an expiration time of the first token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, the password, and the expiration time.
  • With reference to the second aspect or the first or third or fifth possible implementation manner of the second aspect, in a seventh possible implementation manner, the first BFD packet further carries an expiration time of the first token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • With reference to the second or fourth or sixth possible implementation manner of the second aspect, in an eighth possible implementation manner, the first BFD packet further carries an expiration time of the first token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, the password, and the expiration time and by using a third hash algorithm.
  • With reference to the second aspect or the first or third or fifth or seventh possible implementation manner of the second aspect, in a ninth possible implementation manner, the first BFD packet further carries an expiration time of the token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time and by using a fourth hash algorithm.
  • With reference to the second aspect or any one of the first to ninth possible implementation manners of the second aspect, in a tenth possible implementation manner, the control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • With reference to the second aspect or any one of the first to tenth possible implementation manners of the second aspect, in an eleventh possible implementation manner, the random nonce is carried by extending fields of the first BFD packet.
  • With reference to the second aspect or any one of the first to eleventh possible implementation manners of the second aspect, in a twelfth possible implementation manner, the second token value is carried by extending fields of the second BFD packet.
  • With reference to the second aspect or any one of the first to twelfth possible implementation manners of the second aspect, in a thirteenth possible implementation manner, the first BFD packet further includes authentication request information, the authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet.
  • According to a third aspect, a bidirectional forwarding detection BFD device is provided, including a control plane and a data plane, where
    the control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane; and
    the data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce; generate a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • With reference to the third aspect, in a first possible implementation manner, the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet; and
    • the data plane is specifically configured to generate the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a calculation method the same as that of the control plane of the BFD device.
  • With reference to the third aspect or the first possible implementation manner of the third aspect, in a second possible implementation manner,
    • the authentication information further includes a token value, and the data plane is further configured to: before successfully authenticating the second BFD packet, perform comparison to determine whether the token value included in the authentication information is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • With reference to the third aspect or the first or second possible implementation manner of the third aspect, in a third possible implementation manner,
    • the control plane includes a general CPU processor; and the data plane includes a network processor NP.
  • According to a fourth aspect, a bidirectional forwarding detection BFD device is provided, including a control plane and a data plane, where
    • the control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane; and
    • the data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a second token value; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • With reference to the fourth aspect, in a first possible implementation manner, the control plane is further configured to: after the first token value is generated, and before the data plane of the local BFD device receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  • With reference to the fourth aspect or the first possible implementation manner of the fourth aspect, in a second possible implementation manner,
    • the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password; and
    • the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and the password.
  • With reference to the fourth aspect or the first possible implementation manner of the fourth aspect, in a third possible implementation manner,
    • the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • With reference to the fourth aspect or any one of the first to third possible implementation manners of the fourth aspect, in a fourth possible implementation manner,
    • the control plane includes a general CPU processor; and the data plane includes a network processor NP.
  • In the present invention, a data plane of a BFD device performs token authentication on a second BFD packet by using token values, so that an NP of the data plane of the BFD device can also perform security authentication.
    • BRIEF DESCRIPTION OF DRAWINGS
    • FIG. 1 is a flowchart of a security authentication method according to an embodiment of the present invention;
    • FIG. 2 is a flowchart of another security authentication method according to an embodiment of the present invention;
    • FIG. 3 is a schematic diagram of a BFD packet sent by an original data plane according to an embodiment of the present invention;
    • FIG. 4 is a schematic diagram of a BFD packet sent by an original control plane according to an embodiment of the present invention;
    • FIG. 5 is a schematic diagram of an MD5 authentication field in a BFD packet sent by an original control plane according to an embodiment of the present invention;
    • FIG. 6 is a schematic diagram of an SHA1 authentication field in a BFD packet sent by an original control plane according to an embodiment of the present invention;
    • FIG. 7 is a schematic diagram of a BFD packet carrying a random nonce and sent by an extended control plane according to an embodiment of the present invention;
    • FIG. 8 is a schematic diagram of a BFD packet carrying a random nonce and/or a token value and sent by an extended data plane according to an embodiment of the present invention;
    • FIG. 9 is a schematic flowchart of a security authentication method according to an embodiment of the present invention;
    • FIG. 10 is a schematic flowchart of a security authentication method according to an embodiment of the present invention;
    • FIG. 11 is a schematic structural diagram of a bidirectional forwarding detection BFD device according to an embodiment of the present invention;
    • FIG. 12 is a schematic structural diagram of a bidirectional forwarding detection BFD device according to an embodiment of the present invention; and
    • FIG. 13 is a schematic structural diagram of a bidirectional forwarding detection BFD device according to an embodiment of the present invention.
    DESCRIPTION OF EMBODIMENTS
  • To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the following clearly and completely describes the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are some but not all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the protection scope of the present invention.
  • The following further describes the embodiments of the present invention in detail with reference to accompanying drawings in this specification.
  • An embodiment of the present invention provides a security authentication method. Referring to FIG. 1, the method includes the following operations:
    • 101: A control plane of a local bidirectional forwarding detection BFD device receives a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device.
    • 102: The control plane of the local BFD device generates a first token value according to the random nonce.
    • 103: The control plane of the local BFD device sends the first token value to a data plane of the local BFD device.
    • 104: The data plane of the local BFD device receives a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce.
    • 105: The data plane of the local BFD device performs token authentication on the second BFD packet, where the performing, by the data plane of the local BFD device, token authentication on the second BFD packet includes: generating a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device, performing comparison to determine whether the second token value is the same as the first token value, and successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value.
  • In this embodiment of the present invention, a data plane of a BFD device performs token authentication on a second BFD packet by using token values, so that an NP of the data plane of the BFD device can also perform security authentication.
  • Optionally, the generating, by the control plane of the local BFD device, the token value according to the random nonce includes:
    • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
      • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet; and
      • the generating, by the data plane of the local BFD device, the second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device includes:
        • generating, by the data plane of the local BFD device, the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a calculation method the same as that of the control plane of the local BFD device.
  • Optionally, the authentication information further includes a token value;
    • before the successfully authenticating, by the data plane of the local BFD device, the second BFD packet, the method further includes:
      • performing, by the data plane of the local BFD device, comparison to determine whether the token value included in the authentication information is the same as the first token value; and
      • the successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value includes:
        • successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • Optionally, after the generating, by the control plane of the local BFD device, the first token value, and before the receiving, by the data plane of the local BFD device, the second BFD packet that is sent by a data plane of the peer BFD device, the method further includes:
    • sending, by the control plane of the local BFD device, a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value; and the second token value is the first token value encapsulated in the second BFD packet.
  • Optionally, the control plane of the local BFD device generates the first token value by using a hash algorithm.
  • Optionally, the data plane of the local BFD device generates the second token value by using a hash algorithm the same as that of the control plane of the local BFD device.
  • Optionally, the first BFD packet further carries an expiration time of the first token value, and the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes: generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • Optionally, the control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • Optionally, the random nonce is carried by extending fields of the first BFD packet and second BFD packet.
  • Optionally, the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet. An embodiment of the present invention provides another security authentication method. Referring to FIG. 2, the method includes the following operations:
    • 201: A control plane of a local bidirectional forwarding detection BFD device receives a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device.
    • 202: The control plane of the local BFD device generates a first token value according to the random nonce.
    • 203: The control plane of the local BFD device sends the first token value to a data plane of the local BFD device.
    • 204: The data plane of the local BFD device receives a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a second token value.
    • 205: The data plane of the local BFD device performs token authentication on the second BFD packet, where the performing, by the data plane of the local BFD device, token authentication on the second BFD packet includes: performing, by the data plane of the local BFD device, comparison to determine whether the second token value is the same as the first token value, and successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value. After the generating, by the control plane of the local BFD device, the first token value, and before the receiving, by the data plane of the local BFD device, the second BFD packet that is sent by a data plane of the peer BFD device, the method further includes:
      • sending, by the control plane of the local BFD device, a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value; and the second token value is the first token value encapsulated in the second BFD packet.
  • The first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password; and
    • the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
      • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and the password.
  • Optionally, the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • Optionally, the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce that is carried in the first BFD packet and the password that is included in the standard authentication request information and by using a first hash algorithm.
  • Optionally, the generating, by the control plane of the local BFD device, the first token value according to the random nonce includes:
    • generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet and by using a second hash algorithm.
  • Optionally, the first BFD packet further carries an expiration time of the first token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, the password, and the expiration time.
  • Optionally, the first BFD packet further carries an expiration time of the first token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time.
  • Optionally, the first BFD packet further carries an expiration time of the first token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time and by using a third hash algorithm.
  • Optionally, the first BFD packet further carries an expiration time of the token value, and the control plane of the local BFD device generates the first token value according to the random nonce carried in the first BFD packet, a source IP address and a destination IP address that are included in the first BFD packet, and the expiration time and by using a fourth hash algorithm.
  • Optionally, the control plane of the local BFD device or peer BFD device includes a general CPU processor (such as an X86 processor); and the data plane of the local BFD device or peer BFD device is also referred to as a forwarding plane, including a network processor NP.
  • Optionally, the random nonce is carried by extending fields of the first BFD packet.
  • Optionally, the second token value is carried by extending fields of the second BFD packet.
  • Optionally, the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the control plane of the local BFD device generates the first token value according to the random nonce after successfully authenticating the first BFD packet. FIG. 3 shows a BFD packet sent by an original data plane; FIG. 4 shows a BFD packet sent by an original control plane, and a difference between the packet and the BFD packet that is sent by the original data plane shown in FIG. 3 is that an MD5/SHA1 authentication field is added in the packet; FIG. 5 and FIG. 6 present details of authentication fields in the BFD packet shown in FIG. 4; FIG. 7 shows a BFD packet that is sent by an extended control plane, where the BFD packet carries a random nonce, where a random nonce Random nonce field is added to original authentication types (for example, Auth Type based on MD 5 or SHA1 is 2/3/4/5), and to be compatible with a previous protocol, one bit R is reserved in an original 8-bit reserved field, and used to represent Random nonce, that is, if a value of R is 1, it indicates that Random nonce exists, and M of 1 bit represents message type of a request message or a response message; and FIG. 8 shows a BFD packet sent by an extended data plane in this embodiment of the present invention, where the BFD packet carries at least one of a random nonce and a token value, where a new authentication type Auth Type: Token Auth is newly added, for example, the type is 6, and in this type, either of the fields Random nonce and Token exists or both exist at the same time, and Expiration Time or Sequence Number may also exist.
  • The following describes, with reference to FIG. 9, a security authentication method provided in an embodiment of the present invention.
  • Step 1: A control plane of a peer BFD device sends a first BFD packet that includes standard authentication request information (for example, Auth Type based on MD5 or SHA1 is 2/3/4/5) to a control plane of a local BFD device, where the first BFD packet further carries a random nonce generated by the peer BFD device, and the first BFD packet may further carry an expiration time Expiration Time or a Sequence Number.
  • Step 2: The control plane of the local BFD device calculates a first token value according to the random nonce and by using a hash algorithm after successfully authenticating the first BFD packet, where the first token value may be generated according to the random nonce, and a source IP address and a destination IP address that are included in the first BFD packet, or may be generated according to the random nonce, a source IP address and a destination IP address that are included in the second BFD packet, and the expiration time.
  • Step 3: The control plane of the local BFD device sends the first token value to a data plane of the local BFD device.
  • Step 4: The control plane of the local BFD device sends the first token value to the control plane of the peer BFD device by using a response packet of the first BFD packet, where this step is optional, that is, the first token value may not be sent.
  • Step 5: The control plane of the peer BFD device sends the received first token value to the data plane, where this step is also optional, that is, if step 3 is not performed, step 4 is not performed either. Step 6: After a BFD session is up, the data plane of the peer BFD device sends the second BFD packet encapsulated with the random nonce Random nonce to the data plane of the local BFD device. When step 4 and step 5 are performed, the second BFD packet may also include a token value.
  • Step 7: The data plane of the local BFD device generates a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device, and performs comparison to determine whether the second token value is the same as the first token value, and the data plane of the local BFD device successfully authenticates the second BFD packet if the second token value is the same as the first token value.
  • The data plane of the local BFD device may generate the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a hash algorithm the same as that of the control plane, or the data plane of the local BFD device generates the second token value according to the random nonce included in the authentication information, a source IP address and a destination IP address in the second BFD packet, and the expiration time and by using a hash algorithm the same as that of the control plane.
  • When the authentication information further includes a token value, before the successfully authenticating, by the data plane of the local BFD device, the second BFD packet, the method further includes:
    • performing, by the data plane of the local BFD device, comparison to determine whether the token value included in the authentication information is the same as the first token value sent by the control plane of the local BFD device, and if a comparison result is that the two are the same, successfully authenticating, by the data plane of the local BFD device, the second BFD packet.
  • When the first token value expires, the foregoing steps 1 to 7 are re-performed.
  • The following describes, with reference to FIG. 10, another security authentication method provided in an embodiment of the present invention.
  • Step 1: A control plane of a peer BFD device sends a first BFD packet that includes standard authentication request information (for example, Auth Type based on MD5 or SHA1 is 2/3/4/5) to a control plane of a local BFD device, where the first BFD packet further carries a random nonce generated by the peer BFD device, and the first BFD packet may further carry an expiration time Expiration Time or a Sequence Number.
  • Step 2: The control plane of the local BFD device calculates a first token value according to the random nonce by using a hash algorithm after successfully authenticating the first BFD packet, where the first token value may be generated according to the random nonce and a password that is included in the standard authentication request information, or may be generated according to the random nonce, the password that is included in the standard authentication request information, and the expiration time Expiration Time.
  • Step 3: The control plane of the local BFD device sends the first token value to a data plane of the local BFD device.
  • Step 4: The control plane of the local BFD device sends the first token value to the control plane of the peer BFD device by using a response packet of the first BFD packet.
  • A sequence of the foregoing steps 3 and 4 may be interchanged, which is not limited in this embodiment of the present invention, and belongs to the protection scope of this embodiment of the present invention.
  • Step 5: The control plane of the peer BFD device sends the received first token value to the data plane. Step 6: After a BFD session is up, the data plane of the peer BFD device sends the second BFD packet encapsulated with the second token value to the data plane of the local BFD device.
  • Step 7: The data plane of the local BFD device performs comparison to determine whether the second token value is the same as the received first token value sent by the control plane, and if the second token value is the same as the first token value, the data plane of the local BFD device successfully authenticates the second BFD packet.
  • After the token expires, the foregoing steps 1 to 7 are re-performed.
  • As shown in FIG. 11, an embodiment of the present invention further provides a bidirectional forwarding detection BFD device 1100, including a control plane 1101 and a data plane 1102.
  • The control plane 1101 is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane 1102.
  • The data plane 1102 is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce; generate a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the control plane; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • Optionally, the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet; and
    • the data plane is specifically configured to generate the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a calculation method the same as that of the control plane of the BFD device.
  • Optionally, the authentication information further includes a token value, and the data plane is further configured to: before successfully authenticating the second BFD packet, perform comparison to determine whether the token value included in the authentication information is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • Optionally, the control plane includes a general CPU processor; and the data plane includes a network processor NP.
  • An embodiment of the present invention further provides a bidirectional forwarding detection BFD device, including a control plane and a data plane.
  • The control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane.
  • The data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a second token value; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  • Optionally, the control plane is further configured to: after the first token value is generated, and before the data plane of the local BFD device receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  • Optionally, the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password; and
    • the control plane is specifically configured to generate the first token value according to
    • the random nonce carried in the first BFD packet and the password.
  • Optionally, the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • Optionally, the control plane includes a general CPU processor; and the data plane includes a network processor NP.
  • As shown in FIG. 12, an embodiment of the present invention further provides a bidirectional forwarding detection BFD device, including an interface 1201, a general CPU processor 1202, a network processor 1203, and a bus 1204, where the interface 1201, the general CPU processor 1202, and the network processor 1203 are connected and perform mutual communication by using the bus 1204.
  • The bus 1204 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, or the like. The bus 1204 may be classified into an address bus, a data bus, a control bus, and the like. For the ease of representation, the bus is represented only by a line in the figure, but it does not indicate that there is only one bus or only one type of bus.
  • The interface 1201 receives a first BFD packet sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device.
  • The general CPU processor 1202 is configured to generate a first token value according to the random nonce; and send the first token value to the network processor 1203.
  • The interface 1201 is further configured to receive a second BFD packet sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a random nonce.
  • The network processor 1203 is configured to generate a second token value according to the random nonce included in the authentication information and by using a calculation method the same as that of the general CPU processor 1202, perform comparison to determine whether the second token value is the same as the first token value, and if the second token value is the same as the first token value, successfully authenticate the second BFD packet.
  • Optionally, the general CPU processor 1202 is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • Optionally, the network processor 1203 is specifically configured to generate the second token value according to the random nonce included in the authentication information and a source IP address and a destination IP address that are included in the second BFD packet and by using a calculation method the same as that of the control plane of the BFD device.
  • Optionally, the authentication information further includes a token value, and the network processor 1203 is further configured to: before successfully authenticating the second BFD packet, perform comparison to determine whether the token value included in the authentication information is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value, and the token value included in the authentication information is the same as the first token value.
  • An embodiment of the present invention further provides a bidirectional forwarding detection BFD device, including an interface 1301, a general CPU processor 1302, a network processor 1303, and a bus 1304, where the interface 1301, the general CPU processor 1302 and the network processor 1303 are connected and perform mutual communication by using the bus 1304.
  • The bus 1304 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, or the like. The bus 1204 may be classified into an address bus, a data bus, a control bus, and the like. For the ease of representation, the bus is represented only by a line in the figure, but it does not indicate that there is only one bus or only one type of bus.
  • The interface 1301 receives a first BFD packet sent by a control plane of a peer BFD device, where the first BFD packet carries a random nonce generated by the peer BFD device.
  • The general CPU processor 1302 is configured to generate a first token value according to the random nonce; and send the first token value to the network processor 1303.
  • The interface 1301 is further configured to receive a second BFD packet sent by a data plane of the peer BFD device, where the second BFD packet carries authentication information, and the authentication information includes a token value.
  • The network processor 1303 is configured to perform comparison to determine whether the second token value is the same as the first token value, and if the second token value is the same as the first token value, successfully authenticate the second BFD packet.
  • Optionally, the general CPU processor 1302 is further configured to: after the first token value is generated, and before the network processor 1303 receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, where the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  • Optionally, the first BFD packet further includes standard authentication request information, the standard authentication request information includes at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message includes a password; and
    • the general CPU processor 1302 is specifically configured to generate the first token value
    • according to the random nonce carried in the first BFD packet and the password. Optionally, the general CPU processor 1302 is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are included in the first BFD packet.
  • In this embodiment of the present invention, a data plane of a BFD device performs token authentication on a second BFD packet by using token values, so that an NP of the data plane of the BFD device can also perform security authentication.
  • A person of ordinary skill in the art may be aware that, in combination with the examples described in the embodiments disclosed in this specification, modules and algorithm steps may be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether the functions are performed by hardware or software depends on particular applications and design constraint conditions of the technical solutions. A person skilled in the art may use different methods to implement the described functions for each particular application, but it should not be considered that the implementation goes beyond the scope of the present invention.
  • It may be clearly understood by a person skilled in the art that, for the purpose of convenient and brief description, for a detailed working process of the foregoing apparatus, reference may be made to a corresponding process in the foregoing method embodiments, and details are not described herein again.
  • In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the described apparatus embodiment is merely exemplary. For example, the functional module division is merely logical function division and may be other division in actual implementation. For example, a plurality of modules or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented by using some interfaces. The indirect couplings or communication connections between the apparatuses or modules may be implemented in electronic, mechanical, or other forms.
  • The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one position, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual requirements to achieve the objectives of the solutions of the embodiments.
  • In addition, functional modules in the embodiments of the present invention may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module.
  • When the functions are implemented in the form of a software functional module and sold or used as an independent product, the functions may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or some of the technical solutions may be implemented in a form of a software product. The computer software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network device) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only network processor (ROM, Read-Only Memory), a random access network processor (RAM, Random Access Memory), a magnetic disk, or an optical disc.
  • The foregoing descriptions are merely specific implementation manners of the present invention, but are not intended to limit the protection scope of the present invention. Any variation or replacement readily figured out by a person skilled in the art within the technical scope disclosed in the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

  1. A security authentication method, comprising:
    receiving (101), by a control plane of a local bidirectional forwarding detection BFD device, a first BFD packet that is sent by a control plane of a peer BFD device, wherein the first BFD packet carries a random nonce generated by the peer BFD device;
    generating (102), by the control plane of the local BFD device, a first token value according to the random nonce;
    sending (103), by the control plane of the local BFD device, the first token value to a data plane of the local BFD device;
    receiving (104), by the data plane of the local BFD device, a second BFD packet that is sent by a data plane of the peer BFD device, wherein the second BFD packet carries authentication information, and the authentication information comprises a random nonce; and
    generating, by the data plane of the local BFD device, a second token value according to the random nonce comprised in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device, performing comparison to determine whether the second token value is the same as the first token value, and successfully authenticating (105), by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value.
  2. The method according to claim 1, wherein
    the generating, by the control plane of the local BFD device, the first token value according to the random nonce comprises:
    generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are comprised in the first BFD packet; and
    the generating, by the data plane of the local BFD device, the second token value according to the random nonce comprised in the authentication information and by using a calculation method the same as that of the control plane of the local BFD device comprises:
    generating, by the data plane of the local BFD device, the second token value according to the random nonce comprised in the authentication information and a source IP address and a destination IP address that are comprised in the second BFD packet and by using a calculation method the same as that of the control plane of the local BFD device.
  3. The method according to claim 1 or 2, wherein the authentication information further comprises a token value;
    before the successfully authenticating, by the data plane of the local BFD device, the second BFD packet, the method further comprises:
    performing, by the data plane of the local BFD device, comparison to determine whether the token value comprised in the authentication information is the same as the first token value; and
    the successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value comprises:
    successfully authenticating, by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value, and the token value comprised in the authentication information is the same as the first token value.
  4. A security authentication method, comprising:
    receiving (201), by a control plane of a local bidirectional forwarding detection BFD device, a first BFD packet that is sent by a control plane of a peer BFD device, wherein the first BFD packet carries a random nonce generated by the peer BFD device;
    generating (202), by the control plane of the local BFD device, a first token value according to the random nonce;
    sending (203), by the control plane of the local BFD device, the first token value to a data plane of the local BFD device;
    receiving (204), by the data plane of the local BFD device, a second BFD packet that is sent by a data plane of the peer BFD device, wherein the second BFD packet carries authentication information, and the authentication information comprises a second token value; and
    performing, by the data plane of the local BFD device, comparison to determine whether the second token value is the same as the first token value, and successfully authenticating (205), by the data plane of the local BFD device, the second BFD packet if the second token value is the same as the first token value.
  5. The method according to claim 4, wherein
    after the generating, by the control plane of the local BFD device, the first token value, and before the receiving, by the data plane of the local BFD device, the second BFD packet that is sent by a data plane of the peer BFD device, the method further comprises:
    sending, by the control plane of the local BFD device, a response packet of the first BFD packet to the control plane of the peer BFD device, wherein the response packet carries the first token value; and
    the second token value is the first token value encapsulated in the second BFD packet.
  6. The method according to claim 4 or 5, wherein the first BFD packet further comprises standard authentication request information, the standard authentication request information comprises at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message comprises a password; and
    the generating, by the control plane of the local BFD device, the first token value according to the random nonce comprises:
    generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and the password.
  7. The method according to claim 4 or 5, wherein the generating, by the control plane of the local BFD device, the first token value according to the random nonce comprises:
    generating, by the control plane of the local BFD device, the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are comprised in the first BFD packet.
  8. A bidirectional forwarding detection BFD device, comprising a control plane (1101) and a data plane (1102), wherein
    the control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, wherein the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane; and
    the data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, wherein the second BFD packet carries authentication information, and the authentication information comprises a random nonce; generate a second token value according to the random nonce comprised in the authentication information and by using a calculation method the same as that of the control plane; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  9. The BFD device according to claim 8, wherein
    the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are comprised in the first BFD packet; and
    the data plane is specifically configured to generate the second token value according to the random nonce comprised in the authentication information and a source IP address and a destination IP address that are comprised in the second BFD packet and by using a calculation method the same as that of the control plane of the BFD device.
  10. The BFD device according to claim 8 or 9, wherein
    the authentication information further comprises a token value, and the data plane is further configured to: before successfully authenticating the second BFD packet, perform comparison to determine whether the token value comprised in the authentication information is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value, and the token value comprised in the authentication information is the same as the first token value.
  11. The BFD device according to any one of claims 8 to 10, wherein the control plane comprises a general CPU processor; and the data plane comprises a network processor NP.
  12. A bidirectional forwarding detection BFD device, comprising a control plane (1101) and a data plane (1102), wherein
    the control plane is configured to: receive a first BFD packet that is sent by a control plane of a peer BFD device, wherein the first BFD packet carries a random nonce generated by the peer BFD device; generate a first token value according to the random nonce; and send the first token value to the data plane; and
    the data plane is configured to: receive a second BFD packet that is sent by a data plane of the peer BFD device, wherein the second BFD packet carries authentication information, and the authentication information comprises a second token value; perform comparison to determine whether the second token value is the same as the first token value; and successfully authenticate the second BFD packet if the second token value is the same as the first token value.
  13. The BFD device according to claim 12, wherein the control plane is further configured to:
    after the first token value is generated, and before the data plane receives the second BFD packet that is sent by the data plane of the peer BFD device, send a response packet of the first BFD packet to the control plane of the peer BFD device, wherein the response packet carries the first token value, and the second token value is the first token value encapsulated in the second BFD packet.
  14. The BFD device according to claim 12 or 13, wherein the first BFD packet further comprises standard authentication request information, the standard authentication request information comprises at least one of authentication request information based on Message Digest Algorithm 5 MD5 and authentication request information based on Security Hash Algorithm 1 SHA1, and the standard authentication request message comprises a password; and
    the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and the password.
  15. The BFD device according to claim 12 or 13, wherein the control plane is specifically configured to generate the first token value according to the random nonce carried in the first BFD packet and a source IP address and a destination IP address that are comprised in the first BFD packet.
EP14869208.0A 2013-12-13 2014-11-18 Security authentication method and bidirectional forwarding detection method Active EP3068093B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310686766.5A CN103647777B (en) 2013-12-13 2013-12-13 Safety certificate method and bidirectional forwarding detection BFD equipment
PCT/CN2014/091340 WO2015085848A1 (en) 2013-12-13 2014-11-18 Security authentication method and bidirectional forwarding detection method

Publications (3)

Publication Number Publication Date
EP3068093A1 EP3068093A1 (en) 2016-09-14
EP3068093A4 EP3068093A4 (en) 2016-11-09
EP3068093B1 true EP3068093B1 (en) 2017-08-30

Family

ID=50252933

Family Applications (1)

Application Number Title Priority Date Filing Date
EP14869208.0A Active EP3068093B1 (en) 2013-12-13 2014-11-18 Security authentication method and bidirectional forwarding detection method

Country Status (4)

Country Link
US (1) US10097530B2 (en)
EP (1) EP3068093B1 (en)
CN (1) CN103647777B (en)
WO (1) WO2015085848A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103647777B (en) * 2013-12-13 2017-04-12 华为技术有限公司 Safety certificate method and bidirectional forwarding detection BFD equipment
CN104980449B (en) * 2015-08-03 2018-05-08 上海携程商务有限公司 The safety certifying method and system of network request
CN105592058A (en) * 2015-09-30 2016-05-18 杭州华三通信技术有限公司 Method and device for improving network communication safety
CN106100929B (en) * 2016-06-22 2019-06-21 新华三技术有限公司 The method and apparatus of two-way converting detection certification handoff-security
CN107277058B (en) * 2017-08-07 2020-03-20 南京南瑞集团公司 Interface authentication method and system based on BFD protocol
CN108769718B (en) * 2018-04-10 2020-12-15 武汉斗鱼网络科技有限公司 Barrage verification method, computer equipment and storage medium
CN108769720B (en) * 2018-04-10 2020-10-16 武汉斗鱼网络科技有限公司 Barrage verification method, computer equipment and storage medium
CN108769719B (en) * 2018-04-10 2020-12-15 武汉斗鱼网络科技有限公司 Barrage verification method, computer equipment and storage medium
CN108989283A (en) * 2018-05-31 2018-12-11 努比亚技术有限公司 A kind of request of data, control method, server, client terminal and storage medium
US11296881B2 (en) * 2019-10-30 2022-04-05 Microsoft Technology Licensing, Llc Using IP heuristics to protect access tokens from theft and replay
CN112653699B (en) * 2020-12-22 2022-08-12 迈普通信技术股份有限公司 BFD authentication method and device and electronic equipment
CN113453262B (en) * 2021-06-29 2023-10-20 新华三大数据技术有限公司 Bidirectional Forwarding Detection (BFD) method and device
CN113825135A (en) * 2021-09-18 2021-12-21 江苏亨鑫众联通信技术有限公司 Micro base station architecture construction authentication method, FPGA and unit product
CN115051984B (en) * 2021-11-22 2023-03-28 厦门大学 Distributed data plane verification method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080172582A1 (en) * 2007-01-12 2008-07-17 David Sinicrope Method and system for providing peer liveness for high speed environments
US8437272B2 (en) * 2007-08-16 2013-05-07 Cisco Technology, Inc. Distinguishing between connectivity verification availability and forwarding protocol functionality in a computer network
CN101252584B (en) * 2008-04-09 2011-04-20 华为技术有限公司 Authentication method, system and equipment for bidirectional forwarding detection protocol conversation
CN102932318A (en) * 2011-08-10 2013-02-13 华为技术有限公司 Verification method for bidirectional forwarding detection session and node
CN103297400A (en) * 2012-03-01 2013-09-11 中兴通讯股份有限公司 Security alliance management method and system based on bidirectional forwarding detection protocol
CN103647777B (en) 2013-12-13 2017-04-12 华为技术有限公司 Safety certificate method and bidirectional forwarding detection BFD equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
EP3068093A4 (en) 2016-11-09
CN103647777B (en) 2017-04-12
WO2015085848A1 (en) 2015-06-18
CN103647777A (en) 2014-03-19
US10097530B2 (en) 2018-10-09
EP3068093A1 (en) 2016-09-14
US20160285850A1 (en) 2016-09-29

Similar Documents

Publication Publication Date Title
EP3068093B1 (en) Security authentication method and bidirectional forwarding detection method
US9398026B1 (en) Method for authenticated communications incorporating intermediary appliances
US11140162B2 (en) Response method and system in virtual network computing authentication, and proxy server
US10242176B1 (en) Controlled access communication between a baseboard management controller and PCI endpoints
US8429403B2 (en) Systems and methods for provisioning network devices
CN108462710B (en) Authentication and authorization method, device, authentication server and machine-readable storage medium
US9954820B2 (en) Detecting and preventing session hijacking
TW201706900A (en) Method and device for authentication using dynamic passwords
WO2017016252A1 (en) Token generation and authentication method, and authentication server
US9401905B1 (en) Transferring soft token authentication capabilities to a new device
US10911581B2 (en) Packet parsing method and device
CN105262773A (en) A verification method and apparatus for an IOT system
CN104580553A (en) Identification method and device for network address translation device
KR20150135032A (en) System and method for updating secret key using physical unclonable function
CN103780389A (en) Port based authentication method and network device
CN101621527A (en) Method, system and device for realizing safety certificate based on Portal in VPN
US20140237627A1 (en) Protecting data in a mobile environment
CN103957194B (en) A kind of procotol IP cut-in methods and access device
CN106878233B (en) Method for reading security data, security server, terminal and system
CN106537962B (en) Wireless network configuration, access and access method, device and equipment
CN113992387B (en) Resource management method, device, system, electronic equipment and readable storage medium
JP6070280B2 (en) Network authentication system, network authentication apparatus, network authentication method, and network authentication program
CN104468540B (en) A kind of Working mode switching method and PE equipment
CN112019418B (en) Method and device for establishing IPSec tunnel based on brutal mode
TWI641271B (en) Access authentication method, UE and access equipment

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20160609

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

A4 Supplementary search report drawn up and despatched

Effective date: 20161007

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/14 20060101ALI20160930BHEP

Ipc: H04L 29/06 20060101AFI20160930BHEP

Ipc: H04L 29/08 20060101ALI20160930BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

DAX Request for extension of the european patent (deleted)
RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/06 20060101AFI20170302BHEP

Ipc: H04L 29/14 20060101ALI20170302BHEP

Ipc: H04L 29/08 20060101ALI20170302BHEP

INTG Intention to grant announced

Effective date: 20170320

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 924640

Country of ref document: AT

Kind code of ref document: T

Effective date: 20170915

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602014014015

Country of ref document: DE

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 4

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20170830

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 924640

Country of ref document: AT

Kind code of ref document: T

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171130

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171230

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171201

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171130

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602014014015

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171130

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171130

26N No opposition filed

Effective date: 20180531

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171118

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20171130

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171118

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 5

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171118

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20171130

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20141118

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20170830

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602014014015

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: H04L0029060000

Ipc: H04L0065000000

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20220930

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20221010

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20220621

Year of fee payment: 9